* [Buildroot] [PATCH v2] package/avahi: add upstream security fix
@ 2019-03-12 23:46 Artem Panfilov
2019-03-14 21:00 ` Thomas Petazzoni
2019-03-25 20:22 ` Peter Korsgaard
0 siblings, 2 replies; 3+ messages in thread
From: Artem Panfilov @ 2019-03-12 23:46 UTC (permalink / raw)
To: buildroot
Fixes CVE-2017-6519: avahi-daemon in Avahi through 0.6.32 and 0.7
inadvertently responds to IPv6 unicast queries with source addresses
that are not on-link, which allows remote attackers to cause a denial
of service (traffic amplification) and may cause information leakage
by obtaining potentially sensitive information from the responding
device via port-5353 UDP packets.
Signed-off-by: Artem Panfilov <panfilov.artyom@gmail.com>
---
Changes v1 -> v2:
- add "Signed-off-by" and "Backported from" tags in patch
---
...ast-queries-from-address-not-on-loca.patch | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 package/avahi/0001-Drop-legacy-unicast-queries-from-address-not-on-loca.patch
diff --git a/package/avahi/0001-Drop-legacy-unicast-queries-from-address-not-on-loca.patch b/package/avahi/0001-Drop-legacy-unicast-queries-from-address-not-on-loca.patch
new file mode 100644
index 0000000000..0e8408c830
--- /dev/null
+++ b/package/avahi/0001-Drop-legacy-unicast-queries-from-address-not-on-loca.patch
@@ -0,0 +1,48 @@
+From e111def44a7df4624a4aa3f85fe98054bffb6b4f Mon Sep 17 00:00:00 2001
+From: Trent Lloyd <trent@lloyd.id.au>
+Date: Sat, 22 Dec 2018 09:06:07 +0800
+Subject: [PATCH] Drop legacy unicast queries from address not on local link
+
+When handling legacy unicast queries, ensure that the source IP is
+inside a subnet on the local link, otherwise drop the packet.
+
+Fixes #145
+Fixes #203
+CVE-2017-6519
+CVE-2018-100084
+
+Backported from: e111def44a7df4624a4aa3f85fe98054bffb6b4f
+Signed-off-by: Artem Panfilov <panfilov.artyom@gmail.com>
+---
+ avahi-core/server.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/avahi-core/server.c b/avahi-core/server.c
+index a2cb19a8..a2580e38 100644
+--- a/avahi-core/server.c
++++ b/avahi-core/server.c
+@@ -930,6 +930,7 @@ static void dispatch_packet(AvahiServer *s, AvahiDnsPacket *p, const AvahiAddres
+
+ if (avahi_dns_packet_is_query(p)) {
+ int legacy_unicast = 0;
++ char t[AVAHI_ADDRESS_STR_MAX];
+
+ /* For queries EDNS0 might allow ARCOUNT != 0. We ignore the
+ * AR section completely here, so far. Until the day we add
+@@ -947,6 +948,13 @@ static void dispatch_packet(AvahiServer *s, AvahiDnsPacket *p, const AvahiAddres
+ legacy_unicast = 1;
+ }
+
++ if (!is_mdns_mcast_address(dst_address) &&
++ !avahi_interface_address_on_link(i, src_address)) {
++
++ avahi_log_debug("Received non-local unicast query from host %s on interface '%s.%i'.", avahi_address_snprint(t, sizeof(t), src_address), i->hardware->name, i->protocol);
++ return;
++ }
++
+ if (legacy_unicast)
+ reflect_legacy_unicast_query_packet(s, p, i, src_address, port);
+
+--
+2.19.1
+
--
2.19.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [Buildroot] [PATCH v2] package/avahi: add upstream security fix
2019-03-12 23:46 [Buildroot] [PATCH v2] package/avahi: add upstream security fix Artem Panfilov
@ 2019-03-14 21:00 ` Thomas Petazzoni
2019-03-25 20:22 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Thomas Petazzoni @ 2019-03-14 21:00 UTC (permalink / raw)
To: buildroot
On Wed, 13 Mar 2019 02:46:51 +0300
Artem Panfilov <panfilov.artyom@gmail.com> wrote:
> Fixes CVE-2017-6519: avahi-daemon in Avahi through 0.6.32 and 0.7
> inadvertently responds to IPv6 unicast queries with source addresses
> that are not on-link, which allows remote attackers to cause a denial
> of service (traffic amplification) and may cause information leakage
> by obtaining potentially sensitive information from the responding
> device via port-5353 UDP packets.
>
> Signed-off-by: Artem Panfilov <panfilov.artyom@gmail.com>
>
> ---
> Changes v1 -> v2:
> - add "Signed-off-by" and "Backported from" tags in patch
> ---
> ...ast-queries-from-address-not-on-loca.patch | 48 +++++++++++++++++++
> 1 file changed, 48 insertions(+)
> create mode 100644 package/avahi/0001-Drop-legacy-unicast-queries-from-address-not-on-loca.patch
Applied to master, thanks.
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
^ permalink raw reply [flat|nested] 3+ messages in thread
* [Buildroot] [PATCH v2] package/avahi: add upstream security fix
2019-03-12 23:46 [Buildroot] [PATCH v2] package/avahi: add upstream security fix Artem Panfilov
2019-03-14 21:00 ` Thomas Petazzoni
@ 2019-03-25 20:22 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2019-03-25 20:22 UTC (permalink / raw)
To: buildroot
>>>>> "Artem" == Artem Panfilov <panfilov.artyom@gmail.com> writes:
> Fixes CVE-2017-6519: avahi-daemon in Avahi through 0.6.32 and 0.7
> inadvertently responds to IPv6 unicast queries with source addresses
> that are not on-link, which allows remote attackers to cause a denial
> of service (traffic amplification) and may cause information leakage
> by obtaining potentially sensitive information from the responding
> device via port-5353 UDP packets.
> Signed-off-by: Artem Panfilov <panfilov.artyom@gmail.com>
> ---
> Changes v1 -> v2:
> - add "Signed-off-by" and "Backported from" tags in patch
Committed to 2018.02.x, 2018.11.x and 2019.02.x, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2019-03-25 20:22 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-03-12 23:46 [Buildroot] [PATCH v2] package/avahi: add upstream security fix Artem Panfilov
2019-03-14 21:00 ` Thomas Petazzoni
2019-03-25 20:22 ` Peter Korsgaard
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.